From: Kalle Valo
To: qize wang
Cc: linux-wireless@vger.kernel.org, amitkarwar@gmail.com, nishants@marvell.com, gbhat@marvell.com, huxinming820@gmail.com, kvalo@codeaurora.org, greg@kroah.com, dan.carpenter@oracle.com, solar@openwall.com
Subject: Re: [PATCH v3] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
References: <20191129101054.2756-1-wangqize888888888@gmail.com>
Date: Mon, 2 Dec 2019 14:54:52 +0000
In-Reply-To: <20191129101054.2756-1-wangqize888888888@gmail.com> (qize wang's message of "Fri, 29 Nov 2019 18:10:54 +0800")
Message-ID: <0101016ec71b6643-65bb0c52-29a0-456e-aa6d-6a4649e28a03-000000@us-west-2.amazonses.com>
X-Mailing-List: linux-wireless@vger.kernel.org

qize wang writes:

> mwifiex_process_tdls_action_frame() does not check
> the incoming TDLS information element's validity before using it;
> this may cause multiple heap buffer overflows.
>
> Fix them by putting a validity check before using it.
>
> An IE is a TLV struct, but ht_cap and ht_oper aren't TLV structs.
> The original Marvell driver code is wrong:
>
> memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
> memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...
>
> Fix the bug by changing pos (the address of the IE) to
> pos+2 (the address of the IE value).
>
> v3: change commit log
>
> Signed-off-by: qize wang

Applied manually (removed the changelog from commit), thanks.

1e58252e334d mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
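The two checks the commit message calls for, as an added example that is not the mwifiex driver's code: a TLV information-element walk that validates each element length against the remaining buffer and against the fixed-size destination before any copy, and copies from pos + 2 (the value) rather than from the TLV header. The `struct tdls_cap`, the `demo_parse` helper and its sample frame are constructed for illustration; only the 802.11 element IDs and HT body sizes are real.

```c
#include <stdint.h>
#include <string.h>
#define WLAN_EID_HT_CAPABILITY 45   /* 802.11 element IDs */
#define WLAN_EID_HT_OPERATION  61
/* Hypothetical stand-in for the driver's per-station record (added example,
 * not mwifiex code); sizes follow the 802.11 HT Capabilities/Operation bodies. */
struct tdls_cap {
    uint8_t ht_capb[26];
    uint8_t ht_oper[22];
};
/* Walk a buffer of IEs (1-byte ID, 1-byte length, value). Each length is
 * checked against the remaining bytes before the value is read, HT elements
 * are copied only if they match the destination size, and always from pos + 2.
 * Returns the number of IEs consumed, or -1 if the buffer is malformed. */
int parse_tdls_ies(const uint8_t *buf, size_t len, struct tdls_cap *cap)
{
    const uint8_t *pos = buf, *end = buf + len;
    int count = 0;
    memset(cap, 0, sizeof(*cap));
    while (pos < end) {
        size_t ie_len;
        if (end - pos < 2)                     /* truncated TLV header */
            return -1;
        ie_len = pos[1];
        if (ie_len > (size_t)(end - pos) - 2)  /* length runs past buffer */
            return -1;
        if (pos[0] == WLAN_EID_HT_CAPABILITY) {
            if (ie_len != sizeof(cap->ht_capb))
                return -1;
            memcpy(cap->ht_capb, pos + 2, ie_len);
        } else if (pos[0] == WLAN_EID_HT_OPERATION) {
            if (ie_len != sizeof(cap->ht_oper))
                return -1;
            memcpy(cap->ht_oper, pos + 2, ie_len);
        }                                      /* other IEs are skipped */
        pos += 2 + ie_len;
        count++;
    }
    return count;
}
/* Constructed sample: a valid HT Capabilities IE followed by an HT Operation
 * IE; with bad_len set, the second IE claims 0xff bytes that are not there. */
int demo_parse(int bad_len, struct tdls_cap *cap)
{
    uint8_t frame[2 + 26 + 2 + 22] = {0};
    frame[0] = WLAN_EID_HT_CAPABILITY; frame[1] = 26; frame[2] = 0xad;
    frame[28] = WLAN_EID_HT_OPERATION; frame[29] = bad_len ? 0xff : 22;
    frame[30] = 6;                             /* primary channel */
    return parse_tdls_ies(frame, sizeof(frame), cap);
}
```

With a well-formed frame the walk consumes both elements and fills the record; with the oversized length it stops at the length check instead of reading past the buffer.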